Recipient-based filtering in a publish-subscribe messaging system

ABSTRACT

Implementations are described which provide for recipient-based filtering of an event that relates to a topic to which consumers are subscribed. Responsive to determining that an attribute of the event includes a set of one or more identifiers for intended recipients for the event, the event is delivered to consumers that correspond to the intended recipients. Alternatively, responsive to determining that the attribute of the event does not include a set of one or more identifiers for intended recipients for the event, the event is delivered to all of the consumers subscribed to the topic to which the event relates.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 17/024,180,filed Sep. 17, 2020, which is a continuation of application Ser. No.16/671,148, filed Oct. 31, 2019, which is hereby incorporated byreference.

TECHNICAL FIELD

One or more implementations relate to the field of publish-subscribemessaging systems; and more specifically, to recipient-based filteringin such systems.

BACKGROUND ART

A publish-subscribe messaging system (a “pub-sub system”) allow apublisher of an event (also referred to as a message) to publish theevent without knowledge of the consumers subscribed to that topic. Anevent is any identifiable unit of data that conveys information about anoccurrence or entity in a computing system and a topic is a commoncharacteristic of events. For example, an event may convey that adocument has been modified and relate to a topic concerning thatdocument. A consumer consumes events (e.g., after subscribing to receiveevents in a pub-sub system) and a publisher publishes an event (i.e.,causes the event to be made available in a source of data).

Typically, publish-subscribe message systems provide topic-basedfiltering. In topic-based filtering, 1) an event is related to andconsumers subscribe to one or more topics, and 2) an event is filteredto be delivered to a consumer based on a) the topics to which theconsumer has subscribed and b) the topic to which the event relates.

The scalability of a typical pub-sub system is limited by the number oftopics that the system supports. Also, an event that relates to a topicwill be delivered to all consumers that have subscribed to receiveevents that relate to the topic, over which the publisher has limitedcontrol (e.g., the publisher can choose not to publish a message toavoid that message being delivered to all such consumers).

BRIEF DESCRIPTION OF THE DRAWINGS

The following figures use like reference numbers to refer to likeelements. Although the following figures depict various exampleimplementations, alternative implementations are within the spirit andscope of the appended claims. In the drawings:

FIG. 1A is a block diagram showing a system for recipient-basedfiltering in a publish-subscribe messaging system, according to someexample implementations.

FIG. 1B is a flow diagram showing operations for recipient-basedfiltering in a publish-subscribe messaging system, according to someexample implementations.

FIG. 1C is a flow diagram showing operations for adding an event to asource of events, according to some example implementations.

FIG. 2A is a block diagram showing an event with a header, according tosome example implementations.

FIG. 2B is a block diagram showing an event with an embedded header,according to some example implementations.

FIG. 2C is a flow diagram showing operations for retrieving an eventfrom a source of events, according to some example implementations.

FIG. 3 is a diagram showing an exemplary application usingrecipient-based filtering in a publish-subscribe messaging system.

FIG. 4A is a block diagram illustrating an electronic device accordingto some example implementations.

FIG. 4B is a block diagram of a deployment environment according to someexample implementations.

DETAILED DESCRIPTION

The following description describes implementations for recipient-basedfiltering of an event that relates to a topic to which consumers aresubscribed. Recipient-based filtering, in the context of events, isfiltering of an event to be delivered to a consumer based on intendedrecipients for that event (i.e., a recipient to which an event isintended to be delivered). Typical pub-sub systems allow a publisher ofthe event to publish it without knowledge of the consumers subscribed tothe topic. By changing the publish-subscribe paradigm, implementationsdescribed herein may provide finer-grained control over delivery ofevents to consumers by performing recipient-based filtering, and thusimprove flexibility for publishers, relevance for consumers, and/orefficient use of computing resources in publish-subscribe messaging.

Recipient-Based Filtering and Selective Delivery

FIG. 1A is a block diagram showing a system for recipient-basedfiltering in a publish-subscribe messaging system, according to someexample implementations. FIG. 1A shows a server 100, a source of events103, and another server 106. A request to publish a first event 109includes data for a first event 115A. Typically, an event includes oneor more attributes. An attribute (also referred to as a field) of anevent is a part of an event that contains one or more values. Theattributes included in an event can be referred to as a payload or abody of the event (and may or may not include an identifier (ID) for atopic (also referred to as a topic ID) and other attributes). However,some implementations support an event including a header, which may beseparate from or included in the body of the event and which may includeone or more attributes. The data for the first event includes: 1) topicID 127A (with a value of “Y”), a payload 130A (for which values are notshown), and an attribute 133A that includes a set of IDs for intendedrecipients 136A-C(i.e., intended recipients for the first event 115A).Included in the exemplary set of IDs for intended recipients is an IDwith value “1” and optionally other IDs with values “4” and “2.”

Adding an Event to a Source of Events

Implementations may support different ways of receiving a request topublish an event. A request to publish an event is a request to make anevent available in a source of events. With reference to FIG. 1C, someimplementations include different optional blocks in block 188 wherein arequest to publish an event is received. For example, implementationsmay include block 191, where the request includes a set of identifiersfor the intended recipients. An identifier is data that identifies(e.g., an intended recipient of an event). In some implementations, anidentifier may be a unique identifier (i.e., an identifier thatidentifies a single entity, such as a single intended recipient); inother implementations, an identifier may be non-unique (i.e., identifiesmultiple entities). The request includes a payload and an identifier fora topic per block 193. Optionally, the payload and the identifier forthe topic are included in another event per block 195. Thus,implementations may support 1) a request including data for an event,the data including a payload and a topic ID, 2) that data being includedin another event, and/or 3) the request including a set of identifiersfor intended recipients.

Supporting these different ways of receiving a request allows forcreating an event from data, creating an event based on another eventwhich includes that data, and/or creating an event with a set of IDs forintended recipients provided in the request. These options providedifferent possibilities for interfacing with existing pub-sub systems.For example, an implementation can be added on to an existing pub-subsystem, an event published in that system can be received in block 188,and the event enhanced with a set of identifiers for recipient-basedfiltering. Additionally or alternatively, before an event is created inan existing pub-sub system, an implementation can receive data in block188 from which the event is created.

In block 118, a set of IDs for the intended recipients for the event canbe automatically selected. This may occur, for example, when a set ofIDs is not provided in a request. Automatically selecting the set of IDsmay be based on one or more of 1) the topic ID included in the request;2) the payload included in the request; 3) the publisher of the event(i.e., the component, user, application, etc. which submitted therequest to publish the event (if known)); 4) the IDs included in sets ofIDs for other events (e.g., which relate to the same or related topicIDs, which share common attributes and/or values for those attributes,which were published by the same publisher or related publishers (e.g.,publishers from the same organization, user group, and/or role;publishers from the same application and/or application instance;etc.)); 5) one or more consumers that have registered with the server;6) one or more consumers that are flagged or otherwise determined asactive (e.g., have indicated to the server of source of events that theyare currently receiving events, that have been included in a set of IDsfor a given number of events over a given period of time); 7) one ormore consumers included in one or more application instances currentlyused by one or more users; etc. Automatically selecting IDs based on onemore of these and/or other factors gives an implementation a powerfuland flexible way of performing recipient-based filtering in a pub-subsystem. Some implementations may allow automatic selection to occurbased on a set of one or more rules (e.g., which can be processed by arules engine to perform the automatically selecting IDs) captured invarious ways (e.g., in a text file, through a user interface, etc.).

Automatically selecting a set of IDs for the intended recipients may beuseful even when a set of IDs is provided in the request. For example,the automatically selected set might be provided as a proposed set ofintended recipients (e.g., to a user of an application instance which ispublishing an event), or only those automatically selected intendedrecipients which were not included in the set of IDs provided in therequest might be proposed. In another example, automatically selectingthe set of IDs for intended recipients may define the set of possibleintended recipients for an event (e.g., to enforce privileges and/orroles accorded to the user, publisher, and/or intended recipient(s)provided in the request), and thus the set of IDs for intendedrecipients taken from the intersection of the set of IDs provided in therequest and those automatically selected.

As shown in FIG. 1A, block 118 for automatically selecting a set of IDsfor the intended recipients for the second event may be implemented inserver 100 (which adds one or more events to a source of events).Additionally or alternatively, block 118 may be implemented in anapplication (not shown). For example, an application may perform block118 based on the context of (e.g., data available to) one or moreinstances of the application. Such an example is discussed in relationto FIG. 3 . Where block 118 is implemented outside the server 100, theserver may call block 118 via a callback or another mechanism (e.g., afunction pointer, a functor, an application programming interface (API)endpoint, a webservice, etc.) to execute the block and receive the setof IDs for the intended recipients for the event that were automaticallyselected.

Returning to block 121 in FIG. 1A, the first event is added to a sourceof events 103 with an attribute that includes a set of IDs for intendedrecipients. In block 124, a second event is added to the source ofevents 103. The second event 115B includes a topic ID 127B (with value“Y”) and a payload 130B (for which values are not shown) and anattribute 133B. In contrast to the first event 115A, the second event115B does not include a set of IDs for intended recipients in attribute133B. In some implementations, the attribute 133B is optional, and maynot be provided in the request to publish a second event 112 (asindicated by the dashed lines around the attribute with text“Attribute”).

As described herein, a source of events (such as source of events 103)is a source from which events can be read by a consumer; e.g., an eventbus or message bus, a stream, a cache, a database, a datastore, a file,etc. In some implementations, a publisher could be considered a sourceof events if the publisher is a source from which a consumer can readevents. With reference to FIG. 1B, an event is added to a source ofevents in block 160 (cf. blocks 121 and 124 shown in FIG. 1A). The eventmay include at least a payload, an identifier for the topic, and anattribute that includes a set of one or more identifiers for intendedrecipients for the event, per block 161.

After the first and second events have been added to the source ofevents 103, server 106 can retrieve those events respectively in block164, wherein an event is retrieved from the source of events. In otherimplementations, one or more events can be submitted to server 106(e.g., by another component which reads the events from the source ofevents 103 and submits them to server 106). In yet otherimplementations, server 100 and server 106 may be combined and theoperations performed by server 100 and server 106 performed by a singleserver.

Delivering an Event

Server 106 may implement one or more of the blocks shown in FIG. 1B(some of which are also shown in FIG. 1A). In block 167, an event isdelivered. This delivery is selective in that it is based on the outcomeof one or more of the decision blocks included in block 167. As part ofblock 167, block 139 includes determining whether an attribute of theevent includes a set of one or more identifiers for intended recipientsof the event. An implementation can perform this determination indifferent ways; e.g., block 139 may identify whether any attributesincluded in the event have a well-defined identifier for including a setof IDs for intended recipients (e.g., an attribute with a name such as“recipients” or a corresponding identifier, which may be unique forattributes that include a set of IDs for intended recipients).Additionally or alternatively, an implementation might identify whethervalues of attributes included in the event include a set of IDs forintended recipients (e.g., if a unique identifier for such an attributeis not used). Block 139 optionally includes block 170, which includesdetermining whether the event includes an attribute which includesidentifiers for intended recipients. If the event does include such anattribute, flow passes from block 170 to block 173, while if the eventdoes not include such an attribute, flow passes from block 170 to block179. Optional block 173 includes determining whether the attributeincludes an empty set of identifiers for intended recipients. If theattribute does include an empty set, flow passes from block 173 to block179, while if the attribute does not include an empty set (i.e.,includes a non-empty set), flow passes from block 173 to block 141.Thus, the optional blocks in block 139 support implementations where 1)an event does not have an attribute which includes IDs for intendedrecipients; and 2) an event has such an attribute but that attributeincludes an empty set of IDs.

Where an attribute of the event includes a non-empty set of IDs forintended recipients, flow passes to block 141 as discussed. Block 141includes operations that are performed for each consumer subscribed tothe topic to which the event relates. In some implementations, theconsumers subscribed to the topic are known to server 106 (e.g., theconsumers registered with server 106 which stores or has access to IDsfor those consumers). In other implementations, server 106 receives IDsfor those consumers (e.g., by querying a registry, by querying otherservers with which consumers have registered, etc.). In yet otherimplementations, each server of a group of servers may perform block 141with regard to the consumers known to that server, and the serverscommunicate with each other (e.g., a first server of the group mightindicate to others of the group that block 141 is to be performed forthe consumers).

Implementations are described where, for each consumer subscribed to thetopic, block 144 determines whether the set of IDs included in theattribute includes an ID for the consumer. However in alternativeimplementations (not shown), for each ID in the set of IDs, a blockdetermines whether the ID is an ID for a consumer subscribed to thetopic. The different approaches may provide different performancecharacteristics depending on one or more factors including 1) the numberof IDs in the set of IDs, 2) the number of consumers subscribed to thetopic (and/or the consumers for which block 141 is executed by theserver), and/or 3) whether the IDs include IDs for consumers which arenot subscribed to the topic (which may occur, for example, if a consumerhas unsubscribed, if an ID was erroneously included, etc.) or to whichthe event cannot be delivered (e.g., due to lack of privileges of thepublisher and/or consumer, due to unavailability, etc.). For example, ifthe set of IDs includes a relatively small number of IDs and the numberof consumers subscribed to the topic is relatively large, determiningwhether an ID corresponds to that of a consumer might result in feweriterations than determining whether a consumer's ID is included in theset. Conversely, if the set of IDs includes a relatively large number ofIDs and the number of consumers subscribed to the topic is relativelysmall, determining whether a consumer's ID is included in the set mightresult in fewer iterations than determining whether an ID corresponds tothat of a consumer. If the set of IDs includes IDs of consumers notsubscribed to the topic, determining whether a consumer's ID is includedin the set will obviate trying to determine a corresponding consumer.Some implementations may support both of these approaches and select oneautomatically depending on the factors mentioned, the performance ofprevious executions of block 141, a configuration for theimplementation, etc.

If the set of identifiers includes an identifier for the consumer asdetermined in block 144, flow passes to block 147 and the event is addedto a data structure associated with the consumer. A data structureorganizes and stores data either temporarily or permanently. Examples ofdata structures include a queue, a map, a tree, a list, an array, etc.Some data structures may support different ordering semantics. Forexample, a list or queue may be implemented such that the a first entry(e.g., an event) which is added 1) will be retrieved before a secondentry (e.g., another event) which is added will be retrieved (also knownas “first-in, first-out” (FIFO) semantics) or 2) after the second entrywill be retrieved (also known as “last-in, first-out (LIFO) semantics).A map or tree may organize and store entries to favor some operationsover others (e.g., to favor faster additions to the map or tree overremovals). A data structure may include functionality that transmits anyentries the structure includes (e.g., via a network socket, viaHyperText Transfer Protocol (HTTP) messaging, via messages, etc.); inother implementations, that functionality may be separate from a datastructure and act on it. To favor transmitting to a consumer (or havinga consumer receive) events in the order in which they are added to thedata structure, an event can be transmitted (or received) in the orderin which the event is added (e.g., with FIFO semantics). Such an ordermay approximate a chronological order in which an event is retrievedfrom a source of events, added to the source of events, and/orpublished, relative to other events that relate to the topic.

Returning to FIG. 1A, the first event is added to a subset of the datastructures 150. FIG. 1A shows several data structures 153A-N: datastructure 153A, data structure 153B, data structure 153J, and datastructure 153N (each shown abbreviated with “struct”). Each of thesedata structures are associated with a respective one of the consumerssubscribed to the topic 159A-N. Consumer 159A has an ID shown with value“1”; consumer 159B has an ID shown with value “4”; consumer 159J has anID shown with value “2”; and consumer 159N has an ID shown with value“X.” First event 115A includes, in the set of IDs for intendedrecipients 136A-C, IDs with values “1,” “4,” and “2”; i.e., the IDs forconsumers 159A, 159B, and 159J respectively. When block 144 is performedfor each of these consumers, the set of IDs included in the first eventis determined as including an ID for the consumer and in block 147, thefirst event is added to the data structure associated with thatconsumer. Consequently, first event 115A is added to data structures153A, 153B, and 153J (which are associated with consumers 159A, 159B,and 159J), but not to data structure 153N. Thus, the first event isadded to a subset of the data structures 153A-N.

Although FIG. 1A shows that the first event is added to a subset of datastructures 150, the adding may occur iteratively (e.g., when block 147is executed) or in bulk (e.g., by identifying the data structures towhich the event is to be added, then adding the event to those datastructures). Other implementations may not include data structures butsupport different ways of delivering events to consumers (e.g., deliverevents to consumers without adding the events to data structures, suchas transmitting an event to a consumer without adding the event to adata structure as an intermediate step).

With reference to FIG. 1B, from block 141, flow passes to block 176. Inblock 176, the event (e.g., first event 115A) is delivered to only asubset of all of the consumers (e.g., consumers 159A, 159B, and 159J)that corresponds to the intended recipients (e.g., consumers with IDs“1,” “4,” and “2”) based on a subset of the data structures to which theevent was added (e.g., data structures 153A, 153B, and 153J). Deliveringan event to a consumer means sending an event to or making an eventavailable for a consumer such that the consumer can consume the event.Thus, implementations allow for selective delivery of an event toconsumers, based on an attribute included in the event (or lack thereof)and the set of IDs for intended recipients for the event (or lackthereof).

One of skill in the art will recognize that delivery to a subset of allof the consumers is dependent on the set of IDs including feweridentifiers than for all of the consumers. Feasibly, IDs for all of theconsumers could be included in the set of IDs, in which case, block 176would include delivering the event to all of the consumers thatcorrespond to the intended recipients. On its face, including IDs forall consumers in the set of IDs appears not to provide advantages overtopic-based filtering in pub-sub systems (or over including an empty setof IDs, omitting a set of IDs, or omitting the attribute). But theconsumers subscribed to a topic at a given time may not be the sameconsumers subscribed to the topic at an earlier or later time. For anillustrative example, published events may later be “replayed” (e.g.,delivered to one or more consumers again responsive to receiving arequest). Since the time that the replayed events were published,subscription to the topic to which the event relates may have changed.If the event did not include intended recipients, some implementationsmay replay the event to the consumers currently subscribed to the topicrather than those subscribed when the events were first delivered (andthus one or more consumers which requested the replay might receiveevents which they were not subscribed to receive at the time the eventswere first delivered, and/or one or more consumers might not receiveevents which they were subscribed to receive at that time). Thus,including IDs for all consumers in the set of IDs for intendedrecipients will effectively fix the intended recipients in time andreplaying the events will result in the event being replayed to the sameintended recipients. Implementations which support replaying events maysupport different options of course; e.g., replaying events to thoseconsumers subscribed at the time the events were first delivered,replaying events to currently-subscribed consumers that were alsosubscribed at that time, replaying events to consumers subscribed atthat time that are also currently-subscribed, etc.

Delivering an event to only a subset of consumers contrasts with howpub-sub systems typically operate. As mentioned, typical pub-sub systemsperform topic-based filtering. In such a system, an event associatedwith a topic will be delivered to all of the consumers subscribed to theevent. Delivering an event to only a subset of consumers, based on IDsfor consumers included in an attribute of the event, allows thepublisher of the event more flexibility. For example, the publisher canchoose to have an event delivered to any combination of consumerssubscribed to the event topic, rather than choosing whether to publishan event to all consumers (or none). This fine-grained level of controldoes not require creating additional topics and is not bounded by limitson the number of topics that can be created in the pub-sub system. Apublisher can also specify different sets of intended recipients fordifferent events (e.g., a publisher can specify intended recipients ofan event on a per-event basis). A given event may be more relevant to asubset of all the consumers subscribed to the topic, or the event may beof a nature such that the event should only be delivered to a subset ofall the consumers (e.g., the event includes confidential data). From aconsumer's perspective, the informational content of an event receivedby the consumer is also enhanced because the consumer was an intendedrecipient for the event: this has significance compared to the eventbeing published for all consumers subscribed to the topic. The eventsthat the consumer receives are also more relevant. Improved relevancyreduces costs associated with receiving less relevant events. Forexample, a consumer may process a less relevant event only to discardit, representing wasted computing resources (both for the consumer andthe pub-sub system in terms of processing and network communications).Avoiding waste of computing resources is particularly salient forelectronic devices with relatively limited processing power (e.g., acellular telephone), when events are published and delivered atrelatively high rates and/or volumes, and/or in systems with arelatively large number of publishers and/or consumers.

Implementations also support delivering an event where the event doesnot include an attribute which includes a set of IDs for intendedrecipients of the event, and/or the event does include such an attributebut the set of IDs is empty. This support can be useful to ensure thatevents published by legacy publishers are delivered as they would havebeen delivered in the legacy systems. This support is also useful toprovide an additional option to publishers, however; if a publisherintends an event to be delivered to all of the consumers subscribed to atopic, the publisher can omit an attribute which includes a set of IDsfor intended recipients (or include the attribute but omit the set ofIDs or include an empty set of IDs). Other implementations are possible.For example, some implementations might not deliver an event when theevent does not include an attribute which includes a set of IDs forintended recipients, and/or the set of IDs is empty.

Returning to FIG. 1B, if an attribute of an event does not include a setof one or more identifiers for intended recipients of the event (orincludes an empty set), flow passes from block 139, 170, or 173 to block179. In block 179, the event is added to each of the data structures(i.e., the data structures for the consumers subscribed to the topic).From block 179, flow passes to block 182 and the event is delivered toall of the consumers (i.e., that are subscribed to the topic). Thus, inthe example shown in FIG. 1A, second event 115B does not include a setof IDs for intended recipients, includes an empty set of IDs, and/ordoes not include an attribute which includes a set of IDs. After block139 is executed, the second event is added to each of the datastructures 156. Specifically, second event 115B is added to datastructures 153A-N(second event 115B is shown as added to data structures153A, 153B, 153J, and 153N for brevity). Second event 115B is thendelivered to all of the consumers subscribed to the topic 159A-N(cf.block 182).

Although FIG. 1B shows that the event is delivered to all of theconsumers in block 182, those of skill in the art will recognize thatdelivering the event may occur iteratively (e.g., the event is deliveredto a given one of all of the consumers, then another of all of theconsumers, etc.) or in bulk (e.g., in implementations which include adata structure associated with all of the consumers). Also,implementations may include optional block 185, in which the event(e.g., first event 115A in FIG. 1A) is delivered to only a subset of allof the consumers that corresponds to the intended recipients based on asubset of the structures to which the event was added and another event(e.g., second event 115B in FIG. 1A) to all of the consumers. Thus,operations to deliver multiple events can be combined (and thus morethan one event delivered to a given consumer in bulk). Combiningoperations may improve performance by reducing the number of operationson the data structures, of writes to input-output ports, of networktraffic, etc.

Headers

FIG. 2A is a block diagram showing an event with a header, according tosome example implementations. A header is a portion of an event whichtypically contains one or more attributes that describe the event (e.g.,a time that the event was created, a version, a set of intendedrecipients, etc.). FIG. 2A shows event 200A which includes a header 210and a body 220. Header 210 includes an attribute 133 (i.e., withreference to FIG. 1A, an attribute that includes a set of IDs forintended recipients for the event) and a topic ID 127 (i.e., anidentifier for the topic to which event 200A relates). The payload 220Aincludes other attributes 230. Other implementations (not shown) mayinclude other attributes in header 210 (e.g., a creation time, aversion, etc.) and/or include topic ID 127 in payload 220A rather thanheader 210.

The structure of event 200A (i.e., the event having a header separatefrom the payload or body of the event) is potentially useful because theattributes stored in the header and the body are of interest todifferent components, and those components can then look to the headerand/or body for those attributes. The header (if implemented) is ofinterest to server 106 (e.g., for performing recipient-based filteringbased on attribute 133). The header may also be of interest to thesource of events 103 (e.g., for categorizing, storing, and/or makingavailable event 200A based on the header and/or its contents). Theheader may be of interest to the publisher of the event (not shown inFIG. 1A) for specifying the topic ID 127 and/or attribute 133. Byspecifying a header, components such as server 100, source of events103, server 106, etc. can identify a portion of an event which isexpected to contain information of interest.

Including a header in an event can also allow the header and the body ofthe event to be encrypted separately. Encrypting data means to encode itsuch that only authorized entities can decrypt it (and decrypting datameans to decode encrypted data such that it can be read). In oneimplementation, an event's header may be unencrypted and the event'sbody encrypted. In another implementation, an event's header and bodymay be encrypted, but encrypted separately (i.e., using differentciphers, using different public-private key pairs, etc.). Either ofthese implementations provide for encrypted transmission of the event'spayload. In the latter implementation, the header can be decrypted(e.g., to perform recipient-based filtering) without decrypting thepayload (and thus risking data security, for example).

Encryption and decryption may be performed using a variety oftechniques; e.g., symmetric key and/or asymmetric key techniques. Wheresymmetric key techniques are used, the encryption/decryption key isshared between the component that encrypts the header and/or payload ofthe event (e.g., one or more of the publisher of the event, server 100,the source of events 103, etc.) and the component that decrypts theheader and/or payload (e.g., server 106 and/or one or more of consumerssubscribed to a topic 159A-N). Where asymmetric key techniques are used,the component that encrypts the header and/or payload uses a differentkey from that used by the component that decrypts the header and/orpayload (e.g., in public key encryption, where the component thatdecrypts has a private key for decryption, and the component thatencrypts has a public key for encryption (that is provided by thecomponent that decrypts)).

Since the header and payload can be encrypted and decrypted separately,when both are encrypted, 1) one or more components may encrypt theheader and payload, and 2) one or more other components may decrypt theheader and payload. For example, the publisher of an event may encryptthe payload of an event with a public key provided by a consumer whichis an intended recipient of the event, and server 100 or the source ofevents 103 may encrypt the header of the event with a public keyprovided by server 106. Then server 106 may decrypt the header of theevent with a private key corresponding to the public key that the serverprovided, and the consumer which is the intended recipient may decryptthe payload of the event with the private key corresponding to thepublic key that the consumer provided to the publisher. Otherimplementations are possible (e.g., a shared key is used by multipleconsumers to decrypt a payload of an event that is delivered to thoseconsumers, the server decrypts both the header and payload of an eventand delivers the event to one or more consumers securely (e.g., usingtransport layer security (TLS), secure sockets layer (SSL) technology,by re-encrypting the payload such that the consumers can decrypt it,etc.).

In contrast to FIG. 2A, FIG. 2B shows an event with an embedded header,according to some example implementations. Specifically, header 210 isincluded in payload 220B of event 200B together with topic ID 127 andother attributes 230. Alternatively, event 200B might not include header210 and attribute 133 is stored in the body of the event (i.e., inpayload 220B). Implementations herein might be based on using anexisting pub-sub system which does not support including a header in anevent such as shown in FIG. 2A. In those systems, an attribute for anevent can be included in the event's payload (as shown in FIG. 2B) toprovide the advantages of using recipient-based filtering.

A header may also be useful for serialization. Referring to FIG. 1A, anevent may be transmitted at various stages. For example, server 100 addsthe first event 115A to the source of events 103; server 106 retrievesthe first event from the source of events; and server 106 delivers thefirst event to a subset of the consumers subscribed to a topic 159A-N.An event may be serialized to be transmitted. Serializing an event meansconverting it from a format (e.g., JavaScript Object Notation (JSON),plain text, eXtensible Markup Language (XML), an object in anobject-oriented programming language, etc.) to another format (e.g., abinary-encoded format) for transmission. Deserializing an event meansconverting it to another format (e.g., JSON, plain text, XML, etc.) fromthe format (e.g., a binary-encoded format) in which the event wastransmitted. Serializing an event may reduce its size, thus meaning thatless data is transmitted to transmit the event. By including a header,the header may be deserialized separately from the body of an event.

FIG. 2C shows operations for retrieving an event from a source ofevents, according to some example implementations. In block 240, anevent is retrieved from a source of events. From block 240, flow passesto block 250. In block 250, a header of the event is deserialized. Insome implementations, the header is deserialized once (e.g., by server106). Deserializing the header once is more efficient than deserializingthe header multiple times (e.g., for each consumer to which the event isto be delivered).

From block 250, flow passes to block 260. In block 260, a set ofidentifiers is decrypted when the set of identifiers is encrypted.Decrypting the set of identifiers may include applying such techniquesas previously described.

From block 260, flow passes to block 167 (shown in more detail in FIG.1B) and the event is delivered. By using one or more of the optionalblocks shown in FIG. 2C, implementations can promote data security andmore efficient data transmission when delivering the event.

Exemplary Applications

FIG. 3 is a diagram showing an exemplary application usingrecipient-based filtering in a publish-subscribe messaging system. Morespecifically, FIG. 3 shows recipient-based filtering in the context ofmultiple users viewing and editing a document (document 330) viadifferent instances of an application (application instances 315A-D ofapplication 310).

Organization 300 includes users viewing the document 305A-D and otherusers not viewing the document 305E-N. An organization is a collectionof one or more natural and/or legal persons acting with a commonpurpose; e.g., a business entity. Each of the users viewing the document305A-D is using a respective one of application instances 315A-D, eachof which includes a respective one of consumers 325A-D of a first groupof consumers 320A to view document 330. The other users not viewing thedocument 305E-N are associated with a second group of consumers 320B. Adocument is an electronic record; e.g., of alphanumeric characters.Examples of documents include text files, accounting records,spreadsheets, etc.

FIG. 3 also shows detail of an exemplary one of the applicationinstances 315A-D; i.e., application instance 315D. In block 340, an editto the document (e.g., document 330) is received from the user viewingthe document (i.e., the user viewing the document through applicationinstance 315D, i.e., user 305D). Responsive to receiving the edit to thedocument, flow passes from block 340 to block 345. In block 345, arequest to publish a first event relating to the edit of the document(i.e., request to publish first event 350) is submitted to server 100(shown in FIG. 1A). By way of example, the data to be included as thepayload of the first event may include one or more attributesindicating 1) that the document has been edited, 2) the nature of theedit, 3) the time of the edit, 4) information to identify user 315D asthe author of the edit, etc.

Block 345 optionally includes block 355, wherein a set of identifiersfor the intended recipients for the first event is automaticallyselected. In block 360, the identifiers are based on consumersassociated with the users viewing the document (i.e., users viewing thedocument 305A-D). In some implementations, application instance 315Dreceives an indication of the others of the users viewing the documents305A-C through the application instances used by the others of the users(i.e., application instances 315A-C). In other implementations,application instance 315D receives such an indication in other ways(e.g., through document 330 which may store indications of the userswhich are currently viewing the document).

Responsive to receiving the request to publish the first event 350, insome implementations, server 100 adds the first event 365 to source ofevents 103 (described elsewhere herein). In other implementations, block118 is executed and a set of identifiers for the intended recipients forthe first event is automatically selected before the first event isadded to the source of events 103. In such implementations, theautomatically selecting may occur additionally or alternatively to theautomatically selecting performed in block 355 (and optionally block360) of application instance 315D. In the context of the exemplaryapplication shown in FIG. 3 , the automatically selecting may be basedon the first group of consumers 320A due to 1) those consumersregistering with server 100 when application instances 315A-D werelaunched, 2) application 315D previously having sent similar messages tothe first group of consumers 320 (e.g., other messages relating to anedit of the document); 3) the first group of consumers being flagged asactive (e.g., because they were included in a set of IDs for othermessages in a recent period of time); etc. If block 118 is performedadditionally to block 355 (and optionally block 360), different rulesmay apply to determine which IDs from the sets of IDs automaticallyselected in blocks 355 and 118 are included in the first event. Forexample, the IDs representing the intersection of the sets might beincluded in the first event, the set of IDs representing the union ofthe sets might be included in the first event, the IDs in only one andnot the other of the sets might be included in the first event, etc.

The first event 365 is retrieved from the source of events 103 by server106 (described elsewhere herein). In block 370, the first event isdelivered to the first group of consumers 320A (i.e., the consumersincluded in the application instances 315A-D used by the users viewingthe document 305A-D). The first event 365 may be more relevant to theusers viewing the document (and/or the respective application instancesthey are using) than to the other users not viewing the document. Forexample, application instances 315A-C may wish to perform one or moreoperations responsive to receiving first event 365, such as reflectingthe edit of the document in the copies of document 330 displayed inthose application instances, indicating to the users of the applicationinstances that an edit has been made, etc. In contrast, an edit to adocument that a user is not viewing might not be relevant to the user.

In block 375, an indication is received by application instance 315Dthat the document 330 is no longer being edited. In someimplementations, this indication may be received because a period oftime has elapsed during which no edit has been made; applicationinstance 315D is the only application instance with document 330 open;application instances 315A-C have shut down and application instance315D is being shut down; etc. From block 375, flow passes to block 380.

In block 380, another request is submitted to publish a second eventrelating to the editing of the document being completed (i.e., requestto publish second event 385). By way of example, the data to be includedas the payload of the second event may include one or more attributesthat indicate 1) that the document has been edited, 2) that the editingof the document has been completed, 3) the nature of the edit(s) to thedocument; 4) the time(s) of any edits to the document, 5) information toidentify the user(s) who performed the edits; etc.

Block 380 optionally includes block 387, wherein a set of identifiersfor the intended recipients for the second event is automaticallyselected. In block 389, the identifiers are based on consumersassociated with the users viewing the document (i.e., users viewing thedocument 305A-D) and on the other users not viewing the document 350E-N.In some implementations, application instance 315D receives anindication of the other users not viewing the document from a directory(e.g., of users in the organization 300), from metadata relating todocument 330 (e.g., users who have opened, viewed, and/or editeddocument 330), from an identity and access management system, from adatabase (e.g., which stores document 330, which stores a list of usersthat have indicated an interest in the document), etc.

Responsive to receiving the request to publish the second event 385, insome implementations, server 100 adds the second event 390 to source ofevents 103 (described elsewhere herein). In other implementations, block118 is executed and a set of identifiers for the intended recipients forthe second event is automatically selected before the second event isadded to the source of events 103. In such implementations, theautomatically selecting may occur additionally or alternatively to theautomatically selecting performed in block 355 (and optionally block360) of application instance 315D. In the context of the exemplaryapplication shown in FIG. 3 , the automatically selecting may be basedon the first and second groups of consumers 320A and 320B due to 1) thefirst group of consumers registering with server 100 when applicationinstances 315A-D were launched, 2) application 315D previously havingsent similar messages to the first and second groups of consumers (e.g.,other messages relating to editing of a document being completed); 3)the first and/or second groups of consumers being flagged as active(e.g., because they were included in a set of IDs for other messages ina recent period of time); 4) a rule (e.g., received by server 100) forautomatically generating sets of IDs for events relating to editing of adocument being completed; etc. If block 118 is performed additionally toblock 355 (and optionally block 360), different rules may apply todetermine which IDs from the sets of IDs automatically selected inblocks 355 and 118 are included in the second event, as previouslydiscussed.

After the second event 390 is added to source of events 103, the secondevent 390 is retrieved from the source of events 103 by server 106(described elsewhere herein).

In block 395, the second event is delivered to the first group ofconsumers (i.e., the consumers included in the application instances315A-D used by the users viewing the document 305A-D) and the secondgroup of consumers 320B (i.e., the consumers with which the other usersnot viewing the document 305E-N are associated). The second event 390may be relevant to both the first and second groups of consumers. Forexample, the second event may be relevant to the first group ofconsumers because the application instances which include the consumersof the first group may perform operations responsive to receiving thesecond event (e.g., indicate to the instances' respective users thatediting has been completed). The second event may also be relevant tothe second group of consumers; e.g., to indicate to the other users thatdocument 330 was edited, to initiate a workflow whereby any edits to thedocument are reviewed, to generate and send emails or other forms ofnotification to the other users, etc.

Thus, FIG. 3 shows 1) an application instance causing the publication ofa first event to a set of intended recipients, 2) automatic selection ofthat set of intended recipients by the application instance 315D and/orserver 100, and 3) selective delivery of the first event to thoseintended recipients. FIG. 3 also shows 1) an application instancecausing the publication of a second event to a different set of intendedrecipients, 2) automatic selection of that different set of intendedrecipients, and 3) selective delivery of the second event to thoseintended recipients.

An application such as that described in FIG. 3 illustrates some of theadvantages of the implementations described herein. The first event 365may be more relevant to the users viewing the document (and/or therespective application instances they are using) than to the other usersnot viewing the document, whereas the second event may be relevant toboth groups of users. In contrast with a typical pub-sub system, theexemplary application 310 provides finer-grained control over deliveryof the first and second events to consumers by performingrecipient-based filtering. In doing so, the application improves therelevance of the event for the consumers and avoids wasteful delivery ofevents (e.g., delivery to users who are not viewing the document of anevent which relates to an edit of the document).

Example Electronic Devices and Environments

Electronic Device and Machine-Readable Media

One or more parts of the above implementations may include softwareand/or a combination of software and hardware. An electronic device(also referred to as a computing device, computer, etc.) includeshardware and software, such as a set of one or more processors coupledto one or more machine-readable storage media (e.g., magnetic disks,optical disks, read only memory (ROM), Flash memory, phase changememory, solid state drives (SSDs)) to store code (which is composed ofsoftware instructions and which is sometimes referred to as computerprogram code or a computer program) for execution on the set ofprocessors and/or to store data. For instance, an electronic device mayinclude non-volatile memory (with slower read/write times, e.g.,magnetic disks, optical disks, read only memory (ROM), Flash memory,phase change memory, SSDs) and volatile memory (e.g., dynamic randomaccess memory (DRAM), static random access memory (SRAM)), where thenon-volatile memory persists code/data even when the electronic deviceis turned off or when power is otherwise removed, and the electronicdevice copies that part of the code that is to be executed by the set ofprocessors of that electronic device from the non-volatile memory intothe volatile memory of that electronic device during operation becausevolatile memory typically has faster read/write times. As anotherexample, an electronic device may include a non-volatile memory (e.g.,phase change memory) that persists code/data when the electronic deviceis turned off, and that has sufficiently fast read/write times suchthat, rather than copying the part of the code/data to be executed intovolatile memory, the code/data may be provided directly to the set ofprocessors (e.g., loaded into a cache of the set of processors); inother words, this non-volatile memory operates as both long term storageand main memory, and thus the electronic device may have no or only asmall amount of volatile memory for main memory. In addition to storingcode and/or data on machine-readable storage media, typical electronicdevices can transmit code and/or data over one or more machine-readabletransmission media (also called a carrier) (e.g., electrical, optical,radio, acoustical or other form of propagated signals—such as carrierwaves, infrared signals). For instance, typical electronic devices alsoinclude a set of one or more physical network interface(s) to establishnetwork connections (to transmit and/or receive code and/or data usingpropagating signals) with other electronic devices. Thus, an electronicdevice may store and transmit (internally and/or with other electronicdevices over a network) code and/or data with one or moremachine-readable media (also referred to as computer-readable media).

Electronic devices (also referred to as devices) are designed for and/orused for a variety of purposes, and different terms may reflect thosepurposes (e.g., user devices, network devices). Some user devices aredesigned to mainly be operated as servers (sometime referred to asserver devices), while others are designed to mainly be operated asclients (sometimes referred to as client devices, client computingdevices, client computers, or end user devices; examples of whichinclude desktops, workstations, laptops, personal digital assistants,smartphones, wearables, augmented reality (AR) devices, virtual reality(VR) devices, etc.). The software executed to operate a user device(typically a server device) as a server may be referred to as serversoftware or server code), while the software executed to operate a userdevice (typically a client device) as a client may be referred to asclient software or client code. A server provides one or more servicesto (also referred to as serves) one or more clients.

The term “user” refers to an entity (e.g., an individual person) thatuses an electronic device, and software and/or services may usecredentials to distinguish different accounts associated with the sameand/or different users. Users can have one or more roles, such asadministrator, programmer/developer, and end user roles. As anadministrator, a user typically uses electronic devices to administerthem for other users, and thus an administrator often works directlyand/or indirectly with server devices and client devices.

FIG. 4A is a block diagram illustrating an electronic device 400according to some example implementations. FIG. 4A includes hardware 420comprising a set of one or more processor(s) 422, a set of one or morenetwork interfaces 424 (wireless and/or wired), and non-transitorymachine-readable storage media 426 having stored therein software 428(which includes instructions executable by the set of one or moreprocessor(s) 422). One or more implementations described herein may beimplemented as a service (e.g., a recipient-based filtering service).Each of the previously described server(s) and source of events may beimplemented in one or more electronic devices 400. In oneimplementation, server 106 can be part of a recipient-based filteringservice. In some implementations, the recipient-based filtering servicemay include the source of messages 103. Additionally or alternatively,the recipient-based filtering service may include server 100. In otherimplementations, 1) the recipient-based filtering service may includeany combination of one or more of server 100, source of events 103, andserver 106; and 2) those of server 100, source of events 103, and server106 not included in the combination are implemented as separate servicesto the recipient-based filtering service. In one implementation therecipient-based filtering service can be available to one or moreclients (such as consumers). In one implementation: 1) each of theclients is implemented in a separate one of the electronic devices 400(e.g., in end user devices where the software 428 represents thesoftware to implement clients to interface directly and/or indirectlywith the recipient-based filtering service (e.g., software 428represents a web browser, a native client, a portal, a command-lineinterface, and/or API based upon protocols such as Simple Object AccessProtocol (SOAP), REpresentational State Transfer (REST), etc.)); 2) therecipient-based filtering service is implemented in a separate set ofone or more of the electronic devices 400 (e.g., a set of one or moreserver devices where the software 428 represents the software toimplement the recipient-based filtering service); and 3) in operation,the electronic devices implementing the clients and the recipient-basedfiltering service would be communicatively coupled (e.g., by a network)and would establish between them (or through one or more other layersand/or or other services) connections for submitting event(s) and/ordata therefor to the recipient-based filtering service and event(s)being delivered to the clients. Other configurations of electronicdevices may be used in other implementations (e.g., an implementation inwhich the client and the recipient-based filtering service areimplemented on a single electronic device 400).

During operation an instance of the software 428 (illustrated asinstance 406A and also referred to as a software instance; and in themore specific case of an application, as an application instance) isexecuted. In electronic devices that use compute virtualization, the setof one or more processor(s) 422 typically execute software toinstantiate a virtualization layer 408 and software container(s) 404A-R(e.g., with operating system-level virtualization, the virtualizationlayer 408 may represent a container engine (such as Docker Engine byDocker, Inc. or rkt in Container Linux by Red Hat, Inc.) running on topof (or integrated into) an operating system, and it allows for thecreation of multiple software containers 404A-R (representing separateuser space instances and also called virtualization engines, virtualprivate servers, or jails) that may each be used to execute a set of oneor more applications; with full virtualization, the virtualization layer408 represents a hypervisor (sometimes referred to as a virtual machinemonitor (VMM)) or a hypervisor executing on top of a host operatingsystem, and the software containers 404A-R each represent a tightlyisolated form of a software container called a virtual machine that isrun by the hypervisor and may include a guest operating system; withpara-virtualization, an operating system and/or application running witha virtual machine may be aware of the presence of virtualization foroptimization purposes). Again, in electronic devices where computevirtualization is used, during operation an instance of the software 428is executed within the software container 404A on the virtualizationlayer 408. In electronic devices where compute virtualization is notused, the instance 406A on top of a host operating system is executed onthe “bare metal” electronic device 400. The instantiation of theinstance 406A, as well as the virtualization layer 408 and softwarecontainers 404A-R if implemented, are collectively referred to assoftware instance(s) 402.

Alternative implementations of an electronic device may have numerousvariations from that described above. For example, customized hardwareand/or accelerators might also be used in an electronic device.

Example Environment

FIG. 4B is a block diagram of a deployment environment according to someexample implementations. A system 440 includes hardware (e.g, a set ofone or more server devices) and software to provide service(s) 442,including the recipient-based filtering service. In some implementationsthe system 440 is in one or more datacenter(s). These datacenter(s) maybe: 1) first party datacenter(s), which are datacenter(s) owned and/oroperated by the same entity that provides and/or operates some or all ofthe software that provides the service(s) 442; and/or 2) third partydatacenter(s), which are datacenter(s) owned and/or operated by one ormore different entities than the entity that provides the service(s) 442(e.g., the different entities may host some or all of the softwareprovided and/or operated by the entity that provides the service(s)442). For example, third party datacenters may be owned and/or operatedby entities providing public cloud services (e.g., Amazon.com, Inc.(Amazon Web Services), Google LLC (Google Cloud Platform), MicrosoftCorporation (Azure)).

The system 440 is coupled to user devices 480A-S over a network 482. Theservice(s) 442 may be on-demand services that are made available to oneor more of the users 484A-S working for one or more entities other thanthe entity which owns and/or operates the on-demand services (thoseusers sometimes referred to as outside users) so that those entitiesneed not be concerned with building and/or maintaining a system, butinstead may make use of the service(s) 442 when needed (e.g., whenneeded by the users 484A-S). The service(s) 442 may communicate witheach other and/or with one or more of the user devices 480A-S via one ormore APIs (e.g., a REST API). The user devices 480A-S are operated byusers 484A-S.

In some implementations the system 440 is a multi-tenant system (alsoknown as a multi-tenant architecture). The term multi-tenant systemrefers to a system in which various elements of hardware and/or softwareof the system may be shared by one or more tenants. A multi-tenantsystem may be operated by a first entity (sometimes referred to amulti-tenant system provider, operator, or vendor; or simply a provider,operator, or vendor) that provides one or more services to the tenants(in which case the tenants are customers of the operator and sometimesreferred to as operator customers). A tenant includes a group of userswho share a common access with specific privileges. The tenants may bedifferent entities (e.g., different companies, differentdepartments/divisions of a company, and/or other types of entities), andsome or all of these entities may be vendors that sell or otherwiseprovide products and/or services to their customers (sometimes referredto as tenant customers). A multi-tenant system may allow each tenant toinput tenant specific data for user management, tenant-specificfunctionality, configuration, customizations, non-functional properties,associated applications, etc. A tenant may have one or more rolesrelative to a system and/or service. For example, in the context of acustomer relationship management (CRM) system or service, a tenant maybe a vendor using the CRM system or service to manage information thetenant has regarding one or more customers of the vendor. As anotherexample, in the context of Data as a Service (DAAS), one set of tenantsmay be vendors providing data and another set of tenants may becustomers of different ones or all of the vendors' data. As anotherexample, in the context of Platform as a Service (PAAS), one set oftenants may be third party application developers providingapplications/services and another set of tenants may be customers ofdifferent ones or all of the third-party application developers.

Multi-tenancy can be implemented in different ways. In someimplementations, a multi-tenant architecture may include a singlesoftware instance (e.g., a single database instance) which is shared bymultiple tenants; other implementations may include a single softwareinstance (e.g., database instance) per tenant; yet other implementationsmay include a mixed model; e.g., a single software instance (e.g., anapplication instance) per tenant and another software instance (e.g.,database instance) shared by multiple tenants.

In one implementation, the system 440 is a multi-tenant cloud computingarchitecture supporting multiple services, such as one or more of thefollowing:

Example Service(s) by Type of Service salesforce.com, inc. Customerrelationship Sales Cloud management (CRM) Configure, price, quote (CPQ)CPQ and Billing Business process Process Builder modeling (BPM) Customersupport Service Cloud, Field Service Lightning Marketing Commerce CloudDigital, Commerce Cloud Order Management, Commerce Cloud Store Externaldata connectivity Salesforce Connect Productivity QuipDatabase-as-a-Service Database.com ™ Data-as-a-Service Data.com (DAAS orDaaS) Platform-as-a-service Heroku ™ Enterprise, (PAAS or PaaS) Thunder,Force.com ®, Lightning, recipient-based filteringInfrastructure-as-a-Service (IAAS or IaaS) (e.g., virtual machines,servers, and/or storage) Analytics Einstein Analytics, Sales Analytics,Service Analytics Community Community Cloud, Chatter Internet-of-Things(IoT) Salesforce IoT, IoT Cloud Industry-specific Financial ServicesCloud, Health Cloud Artificial intelligence (AI) Einstein Applicationmarketplace AppExchange, (“app store”) AppExchange Store Builder Datamodeling Schema Builder Security Salesforce Shield Identity and accessField Audit Trail, management (IAM) Platform Encryption, IT Governance,Access Management, Salesforce Identity, Salesforce AuthenticatorFor example, system 440 may include an application platform 444 thatenables PAAS for creating, managing, and executing one or moreapplications developed by the provider of the application platform 444,users accessing the system 440 via one or more of user electronicdevices 480A-S, or third-party application developers accessing thesystem 440 via one or more of user electronic devices 480A-S.

In some implementations, one or more of the service(s) 442 may use oneor more multi-tenant databases 446, as well as system data storage 450for system data 452 accessible to system 440. In certainimplementations, the system 440 includes a set of one or more serversthat are running on server electronic devices and that are configured tohandle requests for any authorized user associated with any tenant(there is no server affinity for a user and/or tenant to a specificserver). The user electronic device 480A-S communicate with theserver(s) of system 440 to request and update tenant-level data andsystem-level data hosted by system 440, and in response the system 440(e.g., one or more servers in system 440) automatically may generate oneor more Structured Query Language (SQL) statements (e.g., one or moreSQL queries) that are designed to access the desired information fromthe one or more multi-tenant database 446 and/or system data storage450.

In some implementations, the service(s) 442 are implemented usingvirtual applications dynamically created at run time responsive toqueries from the user electronic devices 480A-S and in accordance withmetadata, including: 1) metadata that describes constructs (e.g., forms,reports, workflows, user access privileges, business logic) that arecommon to multiple tenants; and/or 2) metadata that is tenant specificand describes tenant specific constructs (e.g., tables, reports,dashboards, interfaces, etc.) and is stored in a multi-tenant database.To that end, the program code 460 may be a runtime engine thatmaterializes application data from the metadata; that is, there is aclear separation of the compiled runtime engine (also known as thesystem kernel), tenant data, and the metadata, which makes it possibleto independently update the system kernel and tenant-specificapplications and schemas, with virtually no risk of one affecting theothers. Further, in one implementation, the application platform 444includes an application setup mechanism that supports applicationdevelopers' creation and management of applications, which may be savedas metadata by save routines. Invocations to such applications,including the recipient-based filtering service, may be coded usingProcedural Language/Structured Object Query Language (PL/SOQL) thatprovides a programming language style interface. Invocations toapplications may be detected by one or more system processes, whichmanages retrieving application metadata for the tenant making theinvocation and executing the metadata as an application in a softwarecontainer (e.g., a virtual machine).

Network 482 may be any one or any combination of a LAN (local areanetwork), WAN (wide area network), telephone network, wireless network,point-to-point network, star network, token ring network, hub network,or other appropriate configuration. The network may comply with one ormore network protocols, including an Institute of Electrical andElectronics Engineers (IEEE) protocol, a 3rd Generation PartnershipProject (3GPP) protocol, a 4^(th) generation wireless protocol (4G)(e.g., the Long Term Evolution (LTE) standard, LTE Advanced, LTEAdvanced Pro), a fifth generation wireless protocol (5G), and/or similarwired and/or wireless protocols, and may include one or moreintermediary devices for routing data between the system 440 and theuser electronic devices 480A-S.

Each user electronic device 480A-S(such as a desktop personal computer,workstation, laptop, Personal Digital Assistant (PDA), smart phone,augmented reality (AR) devices, virtual reality (VR) devices, etc.)typically includes one or more user interface devices, such as akeyboard, a mouse, a trackball, a touch pad, a touch screen, a pen orthe like, video or touch free user interfaces, for interacting with agraphical user interface (GUI) provided on a display (e.g., a monitorscreen, a liquid crystal display (LCD), a head-up display, ahead-mounted display, etc.) in conjunction with pages, forms,applications and other information provided by system 440. For example,the user interface device can be used to access data and applicationshosted by system 440, and to perform searches on stored data, andotherwise allow a user 484 to interact with various GUI pages that maybe presented to a user 484. User electronic devices 480A-S mightcommunicate with system 440 using TCP/IP (Transfer Control Protocol andInternet Protocol) and, at a higher network level, use other networkingprotocols to communicate, such as HTTP, File Transfer Protocol (FTP),Andrew File System (AFS), Wireless Application Protocol (WAP), NetworkFile System (NFS), an application program interface (API) based uponprotocols such as Simple Object Access Protocol (SOAP), REST, etc. In anexample where HTTP is used, one or more user electronic devices 480A-Smight include an HTTP client, commonly referred to as a “browser,” forsending and receiving HTTP messages to and from server(s) of system 440,thus allowing users 484 of the user electronic device 480A-S to access,process and view information, pages and applications available to itfrom system 440 over network 482.

CONCLUSION

In the above description, numerous specific details such as resourcepartitioning/sharing/duplication implementations, types andinterrelationships of system components, and logicpartitioning/integration choices are set forth in order to provide amore thorough understanding. The invention may be practiced without suchspecific details, however. In other instances, control structures, logicimplementations, opcodes, means to specify operands, and full softwareinstruction sequences have not been shown in detail since those ofordinary skill in the art, with the included descriptions, will be ableto implement what is described without undue experimentation.

References in the specification to “one implementation,” “animplementation,” “an example implementation,” etc., indicate that theimplementation described may include a particular feature, structure, orcharacteristic, but every implementation may not necessarily include theparticular feature, structure, or characteristic. Moreover, such phrasesare not necessarily referring to the same implementation. Further, whena particular feature, structure, and/or characteristic is described inconnection with an implementation, one skilled in the art would know toaffect such feature, structure, and/or characteristic in connection withother implementations whether or not explicitly described.

For example, the figure(s) illustrating flow diagrams sometimes refer tothe figure(s) illustrating block diagrams, and vice versa. Whether ornot explicitly described, the alternative implementations discussed withreference to the figure(s) illustrating block diagrams also apply to theimplementations discussed with reference to the figure(s) illustratingflow diagrams, and vice versa. At the same time, the scope of thisdescription includes implementations, other than those discussed withreference to the block diagrams, for performing the flow diagrams, andvice versa.

Bracketed text and blocks with dashed borders (e.g., large dashes, smalldashes, dot-dash, and dots) may be used herein to illustrate optionaloperations and/or structures that add additional features to someimplementations. However, such notation should not be taken to mean thatthese are the only options or optional operations, and/or that blockswith solid borders are not optional in certain implementations.

The detailed description and claims may use the term “coupled,” alongwith its derivatives. “Coupled” is used to indicate that two or moreelements, which may or may not be in direct physical or electricalcontact with each other, co-operate or interact with each other.

While the flow diagrams in the figures show a particular order ofoperations performed by certain implementations, such order is exemplaryand not limiting (e.g., alternative implementations may perform theoperations in a different order, combine certain operations, performcertain operations in parallel, overlap performance of certainoperations such that they are partially in parallel, etc.).

While the above description includes several example implementations,the invention is not limited to the implementations described and can bepracticed with modification and alteration within the spirit and scopeof the appended claims. The description is thus illustrative instead oflimiting.

What is claimed is:
 1. A method in a server of a publish-subscribemessaging system for recipient-based filtering of a message that relatesto a topic to which consumers are subscribed, the method comprising:receiving a request to publish a message in the publish-subscribemessaging system according to the topic; automatically selecting a setof one or more consumer identifiers for intended recipients for themessage; adding the set of consumer identifiers to the message; andadding the message to an event bus, wherein the message is to bedelivered to only a subset of all of the consumers that are subscribedto the topic based on the added consumer identifiers.
 2. The method ofclaim 1, wherein the adding the set of consumer identifiers to themessage includes: adding the set of consumer identifiers to an attributeof a body of the message.
 3. The method of claim 1, wherein the addingthe set of consumer identifiers to the message includes: adding the setof consumer identifiers to an attribute of a header of the message. 4.The method of claim 1, wherein the set of consumer identifiers isencrypted and a remaining portion of the message is encryptedseparately.
 5. The method of claim 1, wherein the automaticallyselecting the set of consumer identifiers is performed based on one ormore of the topic, a publisher of the message, consumer identifiersincluded in one or more messages that share common attributes with themessage, one or more consumers that have registered with a server of thepublish-subscribe messaging system, one or more consumers that areactive.
 6. The method of claim 1, wherein the automatically selectingthe set of consumer identifiers is performed to enforce privilegesaccorded to one or more of a publisher of the message and the intendedrecipients.
 7. A non-transitory machine-readable medium that providesinstructions that, when executed by a processor, are capable of causingthe processor to perform operations for recipient-based filtering of amessage that relates to a topic to which consumers are subscribed, theoperations comprising: receiving a request to publish a message in apublish-subscribe messaging system according to the topic; automaticallyselecting a set of one or more consumer identifiers for intendedrecipients for the message; adding the set of consumer identifiers tothe message; and adding the message to an event bus, wherein the messageis to be delivered to only a subset of all of the consumers that aresubscribed to the topic based on the added consumer identifiers.
 8. Thenon-transitory machine-readable medium of claim 7, wherein the addingthe set of consumer identifiers to the message includes: adding the setof consumer identifiers to an attribute of a body of the message.
 9. Thenon-transitory machine-readable medium of claim 7, wherein the addingthe set of consumer identifiers to the message includes: adding the setof consumer identifiers to an attribute of a header of the message. 10.The non-transitory machine-readable medium of claim 7, wherein the setof consumer identifiers is encrypted and a remaining portion of themessage is encrypted separately.
 11. The non-transitory machine-readablemedium of claim 7, wherein the automatically selecting the set ofconsumer identifiers is performed based on one or more of the topic, apublisher of the message, consumer identifiers included in one or moremessages that share common attributes with the message, one or moreconsumers that have registered with a server of the publish-subscribemessaging system, one or more consumers that are active.
 12. Thenon-transitory machine-readable medium of claim 7, wherein theautomatically selecting the set of consumer identifiers is performed toenforce privileges accorded to one or more of a publisher of the messageand the intended recipients.
 13. An electronic device operating as aserver of a publish-subscribe messaging system for recipient-basedfiltering of a message that relates to a topic to which consumers aresubscribed, the electronic device comprising: a non-transitorymachine-readable medium that provides instructions that, when executedby a processor, are capable of causing the processor to performoperations comprising: receiving a request to publish a message in thepublish-subscribe messaging system according to the topic; automaticallyselecting a set of one or more consumer identifiers for intendedrecipients for the message; adding the set of consumer identifiers tothe message; and adding the message to an event bus, wherein the messageis to be delivered to only a subset of all of the consumers that aresubscribed to the topic based on the added consumer identifiers.
 14. Theelectronic device of claim 13, wherein the adding the set of consumeridentifiers to the message includes: adding the set of consumeridentifiers to an attribute of a body of the message.
 15. The electronicdevice of claim 13, wherein the adding the set of consumer identifiersto the message includes: adding the set of consumer identifiers to anattribute of a header of the message.
 16. The electronic device of claim13, wherein the set of consumer identifiers is encrypted and a remainingportion of the message is encrypted separately.
 17. The electronicdevice of claim 13, wherein the automatically selecting the set ofconsumer identifiers is performed based on one or more of the topic, apublisher of the message, consumer identifiers included in one or moremessages that share common attributes with the message, one or moreconsumers that have registered with a server of the publish-subscribemessaging system, one or more consumers that are active.
 18. Theelectronic device of claim 13, wherein the automatically selecting theset of consumer identifiers is performed to enforce privileges accordedto one or more of a publisher of the message and the intendedrecipients.